There’s a new type of threat out there: quishing involves the use of fraudulent QR codes, emailed by threat actors, to bypass the phishing security measures put in place by companies.
Sophos has conducted Sophos-X research to better understand the threat.
The fraudulent QR code, embedded in a PDF document attached to an email, takes the form of a message about payroll, employee benefits, or other forms of official paperwork a business might send to an employee.
Because QR codes are not readable by computers, the employee must scan the QR code using their mobile phone.
The QR code links to a phishing page, which the employee may not recognise as malicious since phones usually are less protected than a computer.
The goal of the attackers is to capture employees’ passwords and their multi-factor authentication (MFA) tokens in order to access a company’s system by bypassing the security measures in place.
“We spent a considerable amount of time sifting through all the spam samples we had to find examples of quishing,” comments Andrew Brandt, principal researcher at Sophos X-Ops. “Our research has revealed that attacks that exploit this specific threat vector are intensifying, both in terms of volume and sophistication, especially when it comes to the appearance of the PDF document.”
In addition to social engineering tactics, the quality of emails, attachments and QR code graphics, these attacks seem to be growing in terms of organisation as well. Indeed, some malicious actors now offer as-a-service tools to run phishing campaigns using fraudulent QR codes. In addition to features such as CAPTCHA bypasses or the generation of IP address proxies to bypass automated threat detection, these criminal organisations provide a sophisticated phishing platform that can capture the credentials or MFA tokens of targeted individuals.